Test for locked account in auth.c (bug #442).
Ben Lindstrom
mouring at etoh.eviladmin.org
Mon Jan 13 01:50:01 EST 2003
On Sun, 12 Jan 2003, Kevin Steves wrote:
> On Sun, Jan 12, 2003 at 09:59:52PM +1100, Darren Tucker wrote:
> > /* check for locked account */
> > - if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
> > + if (passwd && (strcmp(passwd, "*LK*") == 0 || /* Solaris,IRIX */
> > + strcmp(passwd, "*") == 0 || /* HP-UX,Tru64 */
> > + strstr(passwd, "Nologin") || /* Tru64 */
> > +#ifdef __osf
> > + /* Tru64 but we also want to allow "passwordless" accounts */
> > + (passwd[0] == '*' && strcmp(passwd, "*NP*") != 0) ||
> > +#endif
> > + passwd[0] == '!')) { /* Redhat */
> > log("User %.100s not allowed because account is locked",
> > pw->pw_name);
> > return 0;
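Review bot: the strstr(passwd, "Nologin") test is a substring match, so any password field that merely contains that text is reported as locked; if the Tru64 marker is the whole field, strcmp(passwd, "Nologin") == 0 is the tighter test, and if it is a prefix, strncmp with the marker's length. A second small point for the comments: under __osf the strcmp(passwd, "*") == 0 case is already covered by passwd[0] == '*', so the two per-platform branches overlap. Harmless, but a one-line note would save the next reader from wondering which branch to change.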
>
> i just wonder if we really want to attempt all these checks. if you
> lock a user's password but leave the authorized_keys file permitting
> access is the account locked? there's a split in opinion on that i
> think.
>
> also, it may be simpler to check for strlen(passwd) < 13, as it may be
> safe to always consider that an invalid password. maybe.
>
Are blowfish, md5, etc. all the same length hash? And are we going to have
the same issues knowing when to use the correct size for locking the
password?
- Ben
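As an added illustration, not code from this thread or from OpenSSH: the marker checks from the patch as one portable function beside the length heuristic Kevin mentions, run over constructed password fields so the two can be compared. The function names, the tru64 flag and the sample fields are this example's own; the hash lengths used (13 for traditional DES crypt, 34 for $1$ MD5, 60 for $2a$ Blowfish) are what those formats produce.

```c
#include <stddef.h>
#include <string.h>

/* Portable rendering of the patch's marker checks. With tru64 set, the
 * "#ifdef __osf" branch is included: any field starting with '*' is
 * locked except "*NP*", which that branch keeps open as passwordless.
 * A NULL field counts as locked, matching the patch's "passwd &&" guard. */
int marker_locked(const char *passwd, int tru64)
{
    if (passwd == NULL)
        return 1;
    return strcmp(passwd, "*LK*") == 0 ||              /* Solaris, IRIX */
           strcmp(passwd, "*") == 0 ||                 /* HP-UX, Tru64 */
           strstr(passwd, "Nologin") != NULL ||        /* Tru64 */
           (tru64 && passwd[0] == '*' && strcmp(passwd, "*NP*") != 0) ||
           passwd[0] == '!';                           /* Red Hat */
}

/* The length heuristic floated in the thread: a field shorter than the
 * 13 characters of a traditional DES crypt(3) string cannot be a valid hash. */
int length_locked(const char *passwd)
{
    return passwd == NULL || strlen(passwd) < 13;
}

/* Constructed sample fields. Hash bodies are filler of the length each
 * format produces (13 DES, 34 $1$ MD5, 60 $2a$ Blowfish), not real hashes. */
#define DES_HASH "abJnggxhB/yWI"
#define MD5_HASH "$1$saltsalt$0123456789abcdefghijkl"
#define BF_HASH  "$2a$05$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ"
static const char *const samples[] = {
    DES_HASH, MD5_HASH, BF_HASH,       /* usable under both checks */
    "*LK*", "*", "!!", "Nologin",      /* locked under both checks */
    "!" MD5_HASH,                      /* Red Hat '!' prefix on a full hash */
    "*NP*",                            /* Tru64 passwordless marker */
    "*LOCKED*",                        /* constructed '*'-prefixed field */
};

/* Number of samples on which the marker checks and the length
 * heuristic give different answers. */
int disagreements(int tru64)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (marker_locked(samples[i], tru64) != length_locked(samples[i]))
            n++;
    return n;
}
```

The two checks agree on every plain hash and exact marker in the table; they part ways on a '!' prefixed to a full-length hash (only the marker test sees it) and on short non-marker fields such as "*NP*" (only the length test rejects them).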